Banking Laws Leave Business Customers Vulnerable to Internet Fraud

Many tax advisors tell their self-employed clients — including those who are “consulting” while looking for work — to open separate business bank accounts to make it easier to separate business and personal expenses for tax purposes.

Don’t do it.

This common tax advice could turn into a banking nightmare that puts every dollar in your business account at risk. Just ask Fan Bao of Los Angeles.

Bao, who runs a small import-export business, had $50,000 stolen from his bank account by computer hackers in Croatia. Bank of America has refused to reimburse him, saying the loss was his problem, not the bank’s.

Had the money been stolen out of a personal account, the bank’s response would have been dramatically different. Federal law would have required the bank to reimburse Bao.

But, unbeknown to many, business and personal accounts are governed by completely different rules. Those rules protect individuals from online hacking but can leave small-business owners to twist in the wind.

Normally that would merely be worrisome. But it’s far more frightening now because technology and law enforcement experts believe there is a huge and growing wave of sophisticated criminal enterprises that target small-business bank accounts.

Over the last year, the FBI, the Federal Deposit Insurance Corp. and the American Bankers Association have all warned banks about the threat. But many banks have outdated security systems that make their clients vulnerable, said Terry Austin, president and chief executive of Guardian Analytics, an online-security firm.

“We’re seeing increasingly sophisticated attacks,” Austin said. “But there’s been very little recent investment on the banking side. Banks need to do more to protect their customers.”

To understand the scope of the problem, Guardian Analytics recently teamed with the Ponemon Institute to study the prevalence of banking fraud against small businesses. The study found that 32 percent of the 500 small-business owners surveyed had been victimized by online banking fraud — and more than half of that group had been victimized more than once.

Bao provides one such example; he detailed his experiences in a lawsuit he has filed against BofA.

Bao runs his import-export business with his wife, Cathy Huang. They did most of their banking in person until two years ago, when they were talked into opening an online account that allowed them to send wire transfers to their suppliers overseas without trudging to their local branch.

The bank had them follow a series of security protocols and assured them their money was safe. But last summer, just weeks before BofA was set to implement a new security system, two fraudulent wire transfers were posted from Bao’s account — one for $99,100 and one for $50,000. Both were sent to a bank in Croatia that Bao had never done business with. In fact, he’d never sent money anywhere other than China.

Bank officials recognized that the transfers didn’t match Bao’s regular pattern and called to verify their authenticity. Huang was the “authorized agent” on the account, according to the lawsuit, but she was out of town at the time and so couldn’t respond immediately to the bank’s call. Consequently, the bank wouldn’t tell Bao what the problem was, and it allowed the transfers to go through.

When Huang reached the bank later in the day she declared the transactions fraudulent. By then, BofA was able to recover only the second transfer, for $99,100. The $50,000 transfer, executed earlier in the day, had already been withdrawn from the Croatian bank.

Bao asked BofA to reimburse him, but the bank said the loss was his problem.

The reason: Bao was a business customer, so his account was governed by the Uniform Commercial Code. That essentially allows the bank to lay out the conditions under which clients will — or won’t — be reimbursed for a loss.

BofA spokeswoman Shirley Norton said the bank believed Bao’s suit was without merit and intended to vigorously defend itself.

Austin of Guardian Analytics said the most common source of online banking fraud was a virus infecting the victim’s computer. Typically, he said, the business owner is taken in by a “spear-phishing” attack that could be so sophisticated that the victim is unaware of it.

Most consumers have received some sort of phishing e-mail, claiming to be an “account maintenance notice” from a bank or an “alert” from PayPal. These “Dear customer” e-mails, which are often rife with misspellings and funky grammar, are not personalized or sophisticated. They direct the victim to click on a link and provide personal information such as a Social Security or credit card number. Most consumers, if they click at all, come to their senses before plugging in their personal data.

Spear-phishing attacks, on the other hand, are professional-looking, personalized and so clever that victims may not even realize they’ve been targeted.

“If you are a small businessman and you get a tax lien notice that has your name in the body of the e-mail and your e-mail in the subject line and it’s got a return address from your local county, you are likely to click on that,” said Doug Johnson of the American Bankers Association.

What can you do to protect yourself? If you have a very small business you’d be wise to do your banking through a personal account, where the legal protections are superior.

However, if you have a bigger enterprise that needs sophisticated business banking services, you need to be exceptionally careful when responding to e-mails.